Rule 920450 and modsec 3x #1741
Comments
|
User airween commented on date 2020-04-22 12:35:26: Hi mirkodziadzka-avi, thanks for the report. Yes, this is an "old" and "know" problem, and guess you saw the PR for modsec 3x :). I'll review the whole rule set for all occurrence of Anyway (just for the sake of completeness), there is an another way to fix (but I'm sure your suggestion is more elegant and clear of course). diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 880c8c4..666f59b 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1130,7 +1130,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
severity:'CRITICAL',\
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
chain"
- SecRule TX:/^HEADER_NAME_/ "@within %{tx.restricted_headers}" \
+ SecRule TX:/(?i)^HEADER_NAME_/ "@within %{tx.restricted_headers}" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
User airween commented on date 2020-04-22 21:16:32: First, there is a new PR which fixes this bug. I did some research on how we use the TX variables in There are 3 rule, where the variable contains a regex: Only this one (920450) where the variable name is with uppercase. But there are many other occurrance of I think using of this form contradicts the naming convention. Any opinion? I'm going to make a PR for this issue soon. |
|
User mirkodziadzka-avi commented on date 2020-04-28 09:03:42:
Yes. But for normal access TX:foo and TX:FOO was always be the same (case insensitive). And modsec did not change the behaviour. As far as I know this is true for all collections. And I can see a reason why this is (was?) a good thing to do. I can also find a reason why regexes should be case sensitive by default. Although I do not know if the change between modsec 2 and 3 is on purpose or by accident. By the way, thanks for the fix |
|
User airween commented on date 2020-04-28 10:09:32:
sure, that's no problem, it works as well.
I just found a short text about this behavior in documentation: Variable names are case-insensitive. So because it doesn't matter the variable is with lower or uppercase, if the rule references that with a regex, there also no matter - I assume this is an accident.
You're welcome. |
Issue originally created by user mirkodziadzka-avi on date 2020-04-20 16:01:48.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#1741.
Regarding owasp-modsecurity/ModSecurity#2296
We detected this, because rule 920450 is setting
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/'but accessing it viaSecRule TX:/^HEADER_NAME_/I think since modsec 3x seems to be (wrongly) case sensitive on regex, rule 920450 could be changed as
Note that I did not test the new rule, but this case difference is a problem with modsec 3x
The text was updated successfully, but these errors were encountered: